- Timestamp:
- 09/13/18 13:18:45 (6 years ago)
- Location:
- branches/2931_OR-Tools_LP_MIP
- Files:
-
- 5 edited
-
branches/2931_OR-Tools_LP_MIP
- Property svn:mergeinfo changed
-
branches/2931_OR-Tools_LP_MIP/HeuristicLab.Services.Hive
- Property svn:mergeinfo changed
-
branches/2931_OR-Tools_LP_MIP/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs
r15583 r16139 27 27 using DA = HeuristicLab.Services.Hive.DataAccess; 28 28 using DT = HeuristicLab.Services.Hive.DataTransfer; 29 29 using System.Collections.Generic; 30 using System.Linq; 30 31 31 32 namespace HeuristicLab.Services.Hive { 32 33 public class AuthorizationManager : IAuthorizationManager { 33 34 34 private const string NOT_AUTHORIZED = "Current user is not authorized to access the requested resource"; 35 private const string NOT_AUTHORIZED_USERRESOURCE = "Current user is not authorized to access the requested resource"; 36 private const string NOT_AUTHORIZED_USERPROJECT = "Current user is not authorized to access the requested project"; 37 private const string NOT_AUTHORIZED_USERJOB = "Current user is not authorized to access the requested job"; 38 private const string NOT_AUTHORIZED_PROJECTRESOURCE = "Selected project is not authorized to access the requested resource"; 39 private const string USER_NOT_IDENTIFIED = "User could not be identified"; 40 private const string TASK_NOT_EXISTENT = "Queried task could not be found"; 41 private const string PROJECT_NOT_EXISTENT = "Queried project could not be found"; 42 35 43 private IPersistenceManager PersistenceManager { 36 44 get { return ServiceLocator.Instance.PersistenceManager; } … … 47 55 public void Authorize(Guid userId) { 48 56 if (userId != ServiceLocator.Instance.UserManager.CurrentUserId) 49 throw new SecurityException(NOT_AUTHORIZED );57 throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE); 50 58 } 51 59 … … 56 64 pm.UseTransaction(() => { 57 65 var task = taskDao.GetById(taskId); 58 if (task == null) throw new SecurityException( NOT_AUTHORIZED);66 if (task == null) throw new SecurityException(TASK_NOT_EXISTENT); 59 67 AuthorizeJob(pm, task.JobId, requiredPermission); 60 68 }); … … 68 76 } 69 77 78 // authorize if user is admin or resource owner 70 79 public void AuthorizeForResourceAdministration(Guid resourceId) { 80 var currentUserId = UserManager.CurrentUserId; 71 81 var pm = 
PersistenceManager; 72 82 var resourceDao = pm.ResourceDao; 73 83 pm.UseTransaction(() => { 74 84 var resource = resourceDao.GetById(resourceId); 75 if (resource == null) throw new SecurityException(NOT_AUTHORIZED); 76 if (resource.OwnerUserId != UserManager.CurrentUserId 85 if (resource == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE); 86 87 if (resource.OwnerUserId != currentUserId 77 88 && !RoleVerifier.IsInRole(HiveRoles.Administrator)) { 78 throw new SecurityException(NOT_AUTHORIZED); 79 } 80 }); 89 throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE); 90 } 91 }); 92 } 93 94 // authorize if user is admin, project owner or owner of a parent project 95 public void AuthorizeForProjectAdministration(Guid projectId, bool parentalOwnership) { 96 if (projectId == null || projectId == Guid.Empty) return; 97 var currentUserId = UserManager.CurrentUserId; 98 var pm = PersistenceManager; 99 var projectDao = pm.ProjectDao; 100 pm.UseTransaction(() => { 101 var project = projectDao.GetById(projectId); 102 if (project == null) throw new ArgumentException(PROJECT_NOT_EXISTENT); 103 if(!RoleVerifier.IsInRole(HiveRoles.Administrator) 104 && !project.ParentProjectId.HasValue) { 105 throw new SecurityException(NOT_AUTHORIZED_USERPROJECT); 106 } 107 108 List<Project> projectBranch = null; 109 if(parentalOwnership) projectBranch = projectDao.GetParentProjectsById(projectId).ToList(); 110 else projectBranch = projectDao.GetCurrentAndParentProjectsById(projectId).ToList(); 111 112 if(!RoleVerifier.IsInRole(HiveRoles.Administrator) 113 && !projectBranch.Select(x => x.OwnerUserId).Contains(currentUserId)) { 114 throw new SecurityException(NOT_AUTHORIZED_USERPROJECT); 115 } 116 }); 117 } 118 119 // authorize if user is admin, or owner of a project or parent project, for which the resources are assigned to 120 public void AuthorizeForProjectResourceAdministration(Guid projectId, IEnumerable<Guid> resourceIds) { 121 if (projectId == null || projectId == Guid.Empty) 
return; 122 var currentUserId = UserManager.CurrentUserId; 123 var pm = PersistenceManager; 124 var projectDao = pm.ProjectDao; 125 var resourceDao = pm.ResourceDao; 126 var assignedProjectResourceDao = pm.AssignedProjectResourceDao; 127 pm.UseTransaction(() => { 128 // check if project exists (not necessary) 129 var project = projectDao.GetById(projectId); 130 if (project == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE); 131 132 // check if resourceIds exist 133 if (resourceIds != null && resourceIds.Any() && !resourceDao.CheckExistence(resourceIds)) 134 throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE); 135 136 // check if user is admin 137 if (RoleVerifier.IsInRole(HiveRoles.Administrator)) return; 138 139 // check if user is owner of the project or a parent project 140 var projectBranch = projectDao.GetCurrentAndParentProjectsById(projectId).ToList(); 141 if (!projectBranch.Select(x => x.OwnerUserId).Contains(currentUserId) 142 && !RoleVerifier.IsInRole(HiveRoles.Administrator)) { 143 throw new SecurityException(NOT_AUTHORIZED_USERPROJECT); 144 } 145 146 // check if the all argument resourceIds are among the assigned resources of the owned projects 147 var grantedResourceIds = assignedProjectResourceDao.GetAllGrantedResourceIdsOfOwnedParentProjects(projectId, currentUserId).ToList(); 148 if(resourceIds.Except(grantedResourceIds).Any()) { 149 throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE); 150 } 151 }); 152 } 153 154 // Check if a project is authorized to use a list of resources 155 public void AuthorizeProjectForResourcesUse(Guid projectId, IEnumerable<Guid> resourceIds) { 156 if (projectId == null || projectId == Guid.Empty || resourceIds == null || !resourceIds.Any()) return; 157 var pm = PersistenceManager; 158 var assignedProjectResourceDao = pm.AssignedProjectResourceDao; 159 if (!assignedProjectResourceDao.CheckProjectGrantedForResources(projectId, resourceIds)) 160 throw new 
SecurityException(NOT_AUTHORIZED_PROJECTRESOURCE); 161 } 162 163 // Check if current user is authorized to use an explicit project (e.g. in order to add a job) 164 // note: administrators and project owner are NOT automatically granted 165 public void AuthorizeUserForProjectUse(Guid userId, Guid projectId) { 166 if(userId == null || userId == Guid.Empty) { 167 throw new SecurityException(USER_NOT_IDENTIFIED); 168 } 169 if(projectId == null) return; 170 171 var pm = PersistenceManager; 172 // collect current and group membership Ids 173 var userAndGroupIds = new List<Guid>() { userId }; 174 userAndGroupIds.AddRange(UserManager.GetUserGroupIdsOfUser(userId)); 175 // perform the actual check 176 var projectPermissionDao = pm.ProjectPermissionDao; 177 if (!projectPermissionDao.CheckUserGrantedForProject(projectId, userAndGroupIds)) { 178 throw new SecurityException(NOT_AUTHORIZED_USERPROJECT); 179 } 81 180 } 82 181 … … 93 192 94 193 private void AuthorizeJob(IPersistenceManager pm, Guid jobId, DT.Permission requiredPermission) { 194 var currentUserId = UserManager.CurrentUserId; 95 195 var requiredPermissionEntity = requiredPermission.ToEntity(); 96 DA.Permission permission = GetPermissionForJob(pm, jobId, UserManager.CurrentUserId);196 DA.Permission permission = GetPermissionForJob(pm, jobId, currentUserId); 97 197 if (permission == Permission.NotAllowed 98 198 || ((permission != requiredPermissionEntity) && requiredPermissionEntity == Permission.Full)) { 99 throw new SecurityException(NOT_AUTHORIZED );199 throw new SecurityException(NOT_AUTHORIZED_USERJOB); 100 200 } 101 201 } -
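Review bot: The new project checks fail open: `AuthorizeForProjectAdministration`, `AuthorizeForProjectResourceAdministration` and `AuthorizeProjectForResourcesUse` all `return` without performing any check when `projectId == Guid.Empty`, so a call with an unset id is treated as authorized. Whether that is reachable depends on the service methods that call them, which are not shown on this page; unless every caller rejects an empty id first, deny instead, e.g. `if (projectId == Guid.Empty) throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);`. The `projectId == null` and `userId == null` comparisons are always false because `Guid` is a value type, so `if(projectId == null) return;` in `AuthorizeUserForProjectUse` is dead code and can be dropped. In `AuthorizeForProjectResourceAdministration`, a non-administrator call with `resourceIds == null` skips the existence check and then reaches `resourceIds.Except(grantedResourceIds)`, which throws `ArgumentNullException` instead of a `SecurityException`; guard it with `if (resourceIds == null) return;` after the ownership check or treat null as an empty list.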
branches/2931_OR-Tools_LP_MIP/HeuristicLab.Services.Hive/3.3/Manager/EventManager.cs
r15583 r16139 34 34 public void Cleanup() { 35 35 var pm = PersistenceManager; 36 37 pm.UseTransaction(() => { 38 FinishJobDeletion(pm); 39 pm.SubmitChanges(); 40 }); 41 36 42 pm.UseTransaction(() => { 37 43 SetTimeoutSlavesOffline(pm); … … 45 51 pm.SubmitChanges(); 46 52 }); 53 } 54 55 /// <summary> 56 /// Deletes all jobs which are in state "DeletionPending" (this will include all corresponding tasks). 57 /// The state "DeletionPending" is set by HiveJanitor > StatisticsGenerator 58 /// </summary> 59 private void FinishJobDeletion(IPersistenceManager pm) { 60 var jobDao = pm.JobDao; 61 jobDao.DeleteByState(JobState.DeletionPending); 47 62 } 48 63 -
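Review bot: `FinishJobDeletion` permanently removes every job in state `DeletionPending` (and, per its doc comment, the corresponding tasks) without recording anything, so after a cleanup run there is no trace of which jobs were deleted or how many. For an irreversible bulk delete triggered by a state that another component sets, I would log the affected job ids or at least a count before calling `jobDao.DeleteByState(JobState.DeletionPending);`, for example with the `LogFactory.GetLogger(this.GetType().Namespace).Log(...)` pattern that HeartbeatManager.cs uses in this changeset, assuming that logger is available in this class. The body of `Cleanup` continues outside the visible hunks.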
branches/2931_OR-Tools_LP_MIP/HeuristicLab.Services.Hive/3.3/Manager/HeartbeatManager.cs
r15583 r16139 142 142 private IEnumerable<MessageContainer> UpdateTasks(IPersistenceManager pm, Heartbeat heartbeat, bool isAllowedToCalculate) { 143 143 var taskDao = pm.TaskDao; 144 var assignedResourceDao = pm.AssignedResourceDao; 144 var jobDao = pm.JobDao; 145 var assignedJobResourceDao = pm.AssignedJobResourceDao; 145 146 var actions = new List<MessageContainer>(); 146 147 if (heartbeat.JobProgress == null || !heartbeat.JobProgress.Any()) 147 148 return actions; 148 149 149 if (!isAllowedToCalculate && heartbeat.JobProgress.Count != 0) { 150 actions.Add(new MessageContainer(MessageContainer.MessageType.PauseAll)); 151 } else { 152 // select all tasks and statelogs with one query 153 var taskIds = heartbeat.JobProgress.Select(x => x.Key).ToList(); 154 var taskInfos = pm.UseTransaction(() => 155 (from task in taskDao.GetAll() 156 where taskIds.Contains(task.TaskId) 157 let lastStateLog = task.StateLogs.OrderByDescending(x => x.DateTime).FirstOrDefault() 158 select new { 159 TaskId = task.TaskId, 160 Command = task.Command, 161 SlaveId = lastStateLog != null ? 
lastStateLog.SlaveId : default(Guid) 162 }).ToList() 163 ); 164 165 // process the jobProgresses 166 foreach (var jobProgress in heartbeat.JobProgress) { 167 var progress = jobProgress; 168 var curTask = taskInfos.SingleOrDefault(x => x.TaskId == progress.Key); 169 if (curTask == null) { 170 actions.Add(new MessageContainer(MessageContainer.MessageType.AbortTask, progress.Key)); 171 LogFactory.GetLogger(this.GetType().Namespace).Log("Task on slave " + heartbeat.SlaveId + " does not exist in DB: " + jobProgress.Key); 172 } else { 173 var slaveId = curTask.SlaveId; 174 if (slaveId == Guid.Empty || slaveId != heartbeat.SlaveId) { 175 // assigned slave does not match heartbeat 150 var jobIdsWithStatisticsPending = jobDao.GetJobIdsByState(DA.JobState.StatisticsPending).ToList(); 151 152 // select all tasks and statelogs with one query 153 var taskIds = heartbeat.JobProgress.Select(x => x.Key).ToList(); 154 var taskInfos = pm.UseTransaction(() => 155 (from task in taskDao.GetAll() 156 where taskIds.Contains(task.TaskId) 157 let lastStateLog = task.StateLogs.OrderByDescending(x => x.DateTime).FirstOrDefault() 158 select new { 159 TaskId = task.TaskId, 160 JobId = task.JobId, 161 State = task.State, 162 Command = task.Command, 163 SlaveId = lastStateLog != null ? 
lastStateLog.SlaveId : default(Guid) 164 }).ToList() 165 ); 166 167 // process the jobProgresses 168 foreach (var jobProgress in heartbeat.JobProgress) { 169 var progress = jobProgress; 170 var curTask = taskInfos.SingleOrDefault(x => x.TaskId == progress.Key); 171 if (curTask == null) { 172 actions.Add(new MessageContainer(MessageContainer.MessageType.AbortTask, progress.Key)); 173 LogFactory.GetLogger(this.GetType().Namespace).Log("Task on slave " + heartbeat.SlaveId + " does not exist in DB: " + jobProgress.Key); 174 } else if (jobIdsWithStatisticsPending.Contains(curTask.JobId)) { 175 // parenting job of current task has been requested for deletion (indicated by job state "Statistics Pending") 176 // update task execution time 177 pm.UseTransaction(() => { 178 taskDao.UpdateExecutionTime(curTask.TaskId, progress.Value.TotalMilliseconds); 179 }); 180 actions.Add(new MessageContainer(MessageContainer.MessageType.AbortTask, curTask.TaskId)); 181 LogFactory.GetLogger(this.GetType().Namespace).Log("Abort task " + curTask.TaskId + " on slave " + heartbeat.SlaveId + ". The parenting job " + curTask.JobId + " was requested to be deleted."); 182 } else if (curTask.SlaveId == Guid.Empty || curTask.SlaveId != heartbeat.SlaveId) { 183 // assigned slave does not match heartbeat 184 actions.Add(new MessageContainer(MessageContainer.MessageType.AbortTask, curTask.TaskId)); 185 LogFactory.GetLogger(this.GetType().Namespace).Log("The slave " + heartbeat.SlaveId + " is not supposed to calculate task: " + curTask.TaskId); 186 } else if (!isAllowedToCalculate) { 187 actions.Add(new MessageContainer(MessageContainer.MessageType.PauseTask, curTask.TaskId)); 188 LogFactory.GetLogger(this.GetType().Namespace).Log("The slave " + heartbeat.SlaveId + " is not allowed to calculate any tasks tue to a downtime. 
The task is paused."); 189 } else if (!assignedJobResourceDao.CheckJobGrantedForResource(curTask.JobId, heartbeat.SlaveId)) { 190 // slaveId (and parent resourceGroupIds) are not among the assigned resources ids for task-parenting job 191 // this might happen when (a) job-resource assignment has been changed (b) slave is moved to different group 192 actions.Add(new MessageContainer(MessageContainer.MessageType.PauseTask, curTask.TaskId)); 193 LogFactory.GetLogger(this.GetType().Namespace).Log("The slave " + heartbeat.SlaveId + " is not granted to calculate task: " + curTask.TaskId + " of job: " + curTask.JobId); 194 } else { 195 // update task execution time 196 pm.UseTransaction(() => { 197 taskDao.UpdateExecutionTime(curTask.TaskId, progress.Value.TotalMilliseconds); 198 }); 199 switch (curTask.Command) { 200 case DA.Command.Stop: 201 actions.Add(new MessageContainer(MessageContainer.MessageType.StopTask, curTask.TaskId)); 202 break; 203 case DA.Command.Pause: 204 actions.Add(new MessageContainer(MessageContainer.MessageType.PauseTask, curTask.TaskId)); 205 break; 206 case DA.Command.Abort: 176 207 actions.Add(new MessageContainer(MessageContainer.MessageType.AbortTask, curTask.TaskId)); 177 LogFactory.GetLogger(this.GetType().Namespace).Log("The slave " + heartbeat.SlaveId + " is not supposed to calculate task: " + curTask.TaskId); 178 } else if (!assignedResourceDao.TaskIsAllowedToBeCalculatedBySlave(curTask.TaskId, heartbeat.SlaveId)) { 179 // assigned resources ids of task do not match with slaveId (and parent resourceGroupIds); this might happen when slave is moved to different group 180 actions.Add(new MessageContainer(MessageContainer.MessageType.PauseTask, curTask.TaskId)); 181 } else { 182 // update task execution time 183 pm.UseTransaction(() => { 184 taskDao.UpdateExecutionTime(curTask.TaskId, progress.Value.TotalMilliseconds); 185 }); 186 switch (curTask.Command) { 187 case DA.Command.Stop: 188 actions.Add(new 
MessageContainer(MessageContainer.MessageType.StopTask, curTask.TaskId)); 189 break; 190 case DA.Command.Pause: 191 actions.Add(new MessageContainer(MessageContainer.MessageType.PauseTask, curTask.TaskId)); 192 break; 193 case DA.Command.Abort: 194 actions.Add(new MessageContainer(MessageContainer.MessageType.AbortTask, curTask.TaskId)); 195 break; 196 } 197 } 198 } 199 } 200 } 208 break; 209 } 210 } 211 212 } 201 213 return actions; 202 214 }
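Review bot: In the new `UpdateTasks` chain the `jobIdsWithStatisticsPending.Contains(curTask.JobId)` branch is evaluated before the `curTask.SlaveId != heartbeat.SlaveId` check, so `taskDao.UpdateExecutionTime(...)` is written from the heartbeat's `progress.Value` even when the reporting slave is not the one the task is assigned to. The heartbeat is data supplied by the slave, so the assignment check should come first, or the update in that branch should be conditional, e.g. `if (curTask.SlaveId == heartbeat.SlaveId) pm.UseTransaction(() => { taskDao.UpdateExecutionTime(curTask.TaskId, progress.Value.TotalMilliseconds); });`. Separately, `jobDao.GetJobIdsByState(...)` and the per-task `CheckJobGrantedForResource(...)` call run outside `pm.UseTransaction`, unlike the other queries in this method, and the projected `State = task.State` is not used in the visible code. The start of the method's earlier context and its callers are outside this section.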